Full Disclosure mailing list archives
about the automated ssh login attempts
From: Jerome <jethro () docisland org>
Date: Thu, 29 Jul 2004 08:05:45 +0200
Hi list,

Setting up a honeypot, I was able to identify some of the activity associated with these login attempts. After the honeypot had been probed for guest and test logins, I had someone log in as test and fetch some tools from websites to use them on the honeypot. Tools were fetched from some .ro website as per .bash_history and captured keystrokes.

The toolkit I had the opportunity to have downloaded by the kid on the honeypot was made of a bunch of components:

- ss: a copy of the "very fast" SYN scanner by haitateam published lately, at least on packetstorm

- haita: apparently the tool used to bruteforce accounts

      strings -a haita | grep SSH
      SSH login bruteforcer by HaitaTeam

  *tho* guest and test accounts seem hardcoded, so unless they fix that, it's not gonna be a big threat for all of the other joes' accounts around.

And the final part:

- scan.sh: which is the kiddie's best friend for using these 2 tools altogether:

      #!/bin/sh
      # usage message (in Romanian): expects one argument, a class B (/16) prefix
      if [ $# != 1 ]
      then
          echo "Se da asa:"
          echo "$0 <clasa b>"
          echo "Exemplu:"
          echo "$0 212.93"
          echo "Daca nu prindeti ... verificati in fisieru \
      asta sa fie pusa placa de retea care trebe adika \
      eth0, eth1, ppp0 etc "
          exit
      fi
      # clear results of a previous run
      rm -f bios.txt vuln.txt uniq.txt
      # SYN scan port 22 across the given prefix on eth0, then dedupe the hits
      ./ss 22 -b $1 -i eth0 -s 6
      cat bios.txt | sort | uniq > uniq.txt
      # hand the list to the bruteforcer
      ./haita

I also had some other toolkits on the honeypot after the break-in, most of them being local root exploits packed in a single archive, and some massrooter for years-old remote vulnerabilities, but we all know them. I can provide the bins if anyone's interested, but didn't bother yet to place them on some website; feel free to email.

cheers,
--
Jerome
[pgp keyid : 33D7802F http://pgp.mit.edu]
[key fingerprint : 82E6 C9C8 05D1 BEAC 9353 8ECB CEAF 6A0A 33D7 802F]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
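A defender-side check for the pattern described in the post above, as an added example that is not part of the original message: it reads OpenSSH auth-log lines, counts failed password logins against the guest/test accounts the brute forcer hard-codes, per source address, and flags any later successful login as one of those accounts from a source that had already been failing. The host name, addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Accounts the observed toolkit hammers on (hard-coded in the brute forcer).
PROBED_ACCOUNTS = {"guest", "test"}

# OpenSSH auth-log formats for failed and accepted password logins.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port")

# Constructed sample lines (hypothetical host and documentation-range IPs).
SAMPLE_LOG = """\
Jul 29 03:14:01 honeypot sshd[1201]: Failed password for guest from 192.0.2.10 port 4021 ssh2
Jul 29 03:14:03 honeypot sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 4025 ssh2
Jul 29 03:14:05 honeypot sshd[1205]: Failed password for guest from 192.0.2.10 port 4031 ssh2
Jul 29 03:14:07 honeypot sshd[1207]: Accepted password for test from 192.0.2.10 port 4040 ssh2
Jul 29 03:20:00 honeypot sshd[1210]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Jul 29 03:21:00 honeypot sshd[1212]: Accepted password for alice from 198.51.100.7 port 5002 ssh2
""".splitlines()


def analyze(lines, threshold=2):
    """Return (brute-force sources, suspicious successful logins).

    brute-force sources: {source_ip: failed guest/test attempts} at or above threshold
    suspicious logins:   [(user, source_ip)] for guest/test logins from such a source
    """
    failures = defaultdict(int)   # source IP -> failed attempts on probed accounts
    suspicious = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            if user in PROBED_ACCOUNTS:
                failures[ip] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            # A guest/test login that follows a run of failures from the same
            # source is the brute forcer finding a weak password, not a user.
            if user in PROBED_ACCOUNTS and failures[ip] >= threshold:
                suspicious.append((user, ip))
    sources = {ip: n for ip, n in failures.items() if n >= threshold}
    return sources, suspicious


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```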
Current thread:
- about the automated ssh login attempts Jerome (Jul 29)